Examice

Exam SPLK-1003 All QuestionsBrowse all questions from this exam

Question 11

This file has been manually created on a universal forwarder:

/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf

[monitor:///var/log/messages]

sourcetype=syslog

index=syslog

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:

/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf

[monitor:///var/log/maillog]

sourcetype=maillog

index=syslog

Which file is now monitored?

/var/log/messages

/var/log/maillog

/var/log/maillog and /var/log/messages

none of the above

Correct Answer: B

When a universal forwarder connects to a deployment server, it pulls down the app configurations from the deployment server, overwriting any existing configurations of the same app. In this case, the new inputs.conf file being deployed by the deployment server specifies monitoring the /var/log/maillog file. The original inputs.conf file on the universal forwarder, which specified monitoring the /var/log/messages file, will be overwritten. Therefore, the file that is now monitored is /var/log/maillog.

Discussion

StresspleinOption: B

https://answers.splunk.com/answers/728155/what-happens-if-you-deploy-an-inputsconf-from-a-ds.html B

ApisOption: B

B is correct. Apps from deployment server will overwrite any existing configuration

tony123Option: B

Once UF (DS client) connects DS server, it will pull the /opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf from DS server , so B is the correct answer.

Sandy_1988Option: B

B is the correct answer

bobixakaOption: B

The client phones home to the DS, performs a checksum match on the apps and configs, finds a mismatch in that particular app and conf file, downloads the app from the DS and overwrites the mismatched inputs.conf

ZeusPOption: B

B is correct as soon as UF try to connect with DS it will pull updated conf and over write the existing conf.

sargeholikOption: B

b correct answer

sergito095Option: C

I think that the C is the correct answer, because inputs.conf file from forwarder is set up to monitor "messages" file and "maillog" file is monitored by Depolyment Server. Files are differents.

Ashton_98

That would be true if they didn't have the same app name. When you deploy an app with the same name, it will overwrite the inputs.conf file instead of merging.

Hamiltonian

It doesn't matter. The DS is deploying the configuration setting sunder the given app name. The forwarder, once cnnected to the DS, will do whatever the DS tells it to do from the app configuration settings.

mkerOption: A

A is the correct answer, becouse the file inputs.conf will by overwrite by deployment

mker

sorry B is the correct

InfoSec_RC53

This is a great example of the poorly written questions in a Splunk exam. Notice the path, it is in the "deployment-apps" folder which means it is on the DS, not the forwarder. Once it gets to the forwarder, it will then overwrite the inputs, and be located in the $SPLUNK_HOME/etc/apps folder.

gibla1929Option: B

deployment client will reinstall the app with the same name that matches its expected hash.

pucca012Option: A

A is the correct answer, because the local always take precedence.

Hamiltonian

This question has nothing to do with precedence. In the first case, the inputs.conf is written locally on the forwarder. In the second case, this original inputs.conf is overwritten by the new inputs.conf settings because the configurations been redeployed from a DS.

Hamiltonian

Better to say "deployed" rather than redeployed, because it's the first time a DS is being used with the forwarder.